You can secure this by:
- Not enabling the SSH feature on hosts where it's not needed
- Creating ACLs so only certain clients are allowed access.
So essentially, just use the same mechanisms as for everything else in Tailscale.
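
A policy-file sketch of the ACL point above, as an added example that is not part of the original answer. The group, tag, user and e-mail names are hypothetical, and the fragment is written in the comment-tolerant JSON that the Tailscale policy file accepts.

```json
{
  // Constructed example: all names below are placeholders.
  "groups": {
    "group:ops": ["alice@example.com", "bob@example.com"]
  },
  "tagOwners": {
    "tag:prod": ["group:ops"]
  },

  // Network layer: only group:ops may reach port 22 on tag:prod hosts.
  // Access is deny-by-default, so no other client can connect.
  "acls": [
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:prod:22"]}
  ],

  // Tailscale SSH layer: who may log in, to which hosts, as which user.
  "ssh": [
    {
      "action": "check",        // require a recent re-authentication
      "checkPeriod": "12h",
      "src": ["group:ops"],
      "dst": ["tag:prod"],
      "users": ["ubuntu"]       // root is not listed, so root login is refused
    }
  ]
}
```

Hosts on which the SSH feature was never enabled are unaffected by the `ssh` section, which covers the first point in the list.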